General

Thinking Outside The (Windows) Box, Part I — continued

by Lisa Phifer VP Core Competence, Inc. [December 23, 2005]

Changing your Outlook
Browsers and e-mail clients go together like toast and jam. Outlook Express has been installed by default on every PC since Windows 95; full-blown Outlook is packaged with Microsoft Office. These programs may be less closely tied to Windows than IE, but at #4 on the SANS Top 20, they are compromised nearly as often.

For example, an Outlook Express remote code execution vulnerability was documented in June 2005, letting a malicious newsgroup server take complete control of a user's PC. In February 2005, an OLE and COM vulnerability was found in many Microsoft Office products, including Outlook 2003. Due to the way those products access memory using COM structures, a privilege elevation loophole let any user to take complete control of the system. In late 2004, a buffer overrun vulnerability in JPEG image processing was found to allow remote code execution and complete take-over of PCs running Outlook 2003 and many other Microsoft products.

Beyond code bugs, Outlook is perhaps best known for its propensity to spread mass mail worms. Melissa and ILoveYou worms are Outlook oldies-but-goodies. Bubbleboy, the first worm spread by e-mail without opening an attachment, exploited the Outlook preview panel to run whenever users viewed an infected message. The now-infamous Nimda worm exploited Outlook's MIME attachments and integrated address book. And the list goes on. To date, hundreds of worms have exploited the tight integration between IE, Outlook, and associated Personal Information Manager (PIM) data.

To deter these attacks, many administrators began to disable dangerous Outlook features like ActiveX Controls and Visual Basic Scripting as far back as the year 2000. More recently, XP SP2 included several Outlook Express security updates: treating e-mail as a restricted zone by default, warning users about suspicious attachments, and blocking embedded image display in HTML-formatted e-mail from unknown sources. To learn about these Outlook security and "anti-spam" patches, read this Microsoft bulletin.

Outlook is by far the most commonly-used e-mail client. As such, it will continue to attract considerable attention from malware writers. Clearly, one tactic to side-step Outlook attacks is to use an alternative e-mail client. For example, using another e-mail client would not have prevented you from receiving Nimda, but it could have prevented you from propagating Nimda by sending it to everyone in your address book.

This approach is hardly new; I myself have used an alternative e-mail client for years. But many businesses are heavily invested in Outlook and its extensive integration with other Microsoft Office products (e.g., Word, PowerPoint, Excel, Project, Access), as well as Exchange, Microsoft's messaging server, and Outlook Web Access, the browser client interface to Exchange. As a result, for most large enterprises, adopting an alternative e-mail client may not be palatable.

On the other hand, alternative e-mail clients can be very attractive to small businesses and residential users—particularly those who just need a reliable, safe POP3 or IMAP client to retrieve messages from ISP-hosted mailboxes. Beyond avoiding Outlook exploits, alternative e-mail clients offer value-added features like simpler users interfaces, junk and phishing e-mail filtering, integrated virus protection, and Secure MIME or PGP plug-ins. Part 3 of this series will introduce several free e-mail clients and illustrate why so many people prefer using them instead of Outlook Express.

Getting fired up
The only real surprise about the Windows Firewall is how long Microsoft waited to add this fundamental Internet security measure to the operating system. Until XP SP2, Windows users had no choice but to depend on third-party firewalls or risk exposure to the big bad Internet.

A new host connected to the Internet will be probed by port scans within hours. Using the Internet without a firewall was always unsafe, but broadband and wireless have heightened the risk. In a July 2005 Pew Charitable Trust Spyware report [.pdf], broadband users were more likely than dial-up users to report that a new program they did not install appeared on their computer. According to Pew, "The faster the connection, the greater the chance for unwanted software to sneak onto a machine."

Desktop firewalls defend hosts from network attacks, like remote access to fileshares, spyware and adware "phone home" sessions that expose data, worms that propagate over the Internet, and trojans that let attackers take control from afar. Firewall programs fall into two camps: enterprise endpoint security suites and personal firewalls. Enterprise suites combine several security programs (including firewall) under one centrally-managed umbrella. Personal firewalls are designed for installation and configuration by residential users, home offices, and small businesses.

The SP2 Windows Firewall is one example of a personal firewall. Other commercial examples include Norton Personal Firewall, McAfee Personal Firewall Plus, and BlackICE PC Protection (to name just a few). In Part 4 of this series, we will examine several alternative personal firewalls that are free for individual use.

Why use another personal firewall instead of the new Windows Firewall? For starters, you may need a firewall that supports non-XP PCs, or does not force everyone to upgrade to SP2. If you're an ISP, hotspot operator, or school network administrator, you're probably not in a position to mandate client operating systems. Note that we also did not discuss changing your OS to avoid IE or Outlook bugs. Running desktop Linux may be attractive for power users, but the goal of this series is to find free alternatives that the average consumer can easily substitute for default applications on Windows PCs.

Those running XP SP2 should still seriously consider an alternative personal firewall. Microsoft is relatively new to this market, and the Windows Firewall is not as full-featured as many other personal firewalls. For example:

• The Windows Firewall blocks unauthorized inbound connections; this can help evade detection by portscans and deny remote connections aimed at backdoor trojans.
  
  
• However, the Windows Firewall does not block the outbound connections so often initiated by spyware, worms, DoS zombies, and blended threats.
  
  
• It does not permit Internet use only by trusted programs, or verify the integrity of those programs to prevent application spoofing.
  
  
• While the Windows Firewall permits exceptions, they are not as granular as many other personal firewalls, making it harder to accomplish goals like selective filesharing in a mixed-trust network.
  
  
• Windows Firewall policies can be tampered with through Registry modification (see CVE-2005-2765) and programmatically disabled through WMI, enabling bypass by malware that exploits a privilege escalation bug.

Broadband router firewalls and integrated desktop firewall services (e.g., AOL firewall) have impacted demand for stand-alone personal firewalls. Entry-level routers are rarely robust when it comes to firewalling—their usual default (allow everything out, block everything in) is like the Windows Firewall. Large providers like AOL, Comcast, and Earthlink can add commercial firewall software to their client packages. Regional ISPs who cannot afford that should still recommend personal firewalls to SOHO customers. Part 4 of this series will enumerate several personal firewalls that just might fit the bill.

Stay tuned...
Whether you go with an alternative browser, e-mail client, or personal firewall, or you decide to stick with Microsoft Internet Explorer, Outlook, or Windows Firewall, considering your options is never a bad idea. In this introduction, we focused on security risks associated with these embedded Windows applications. To be sure, alternative programs have their own security risks—and deployment and helpdesk costs. But there are many alternatives out there, and we hope that this series helps you to understand what's available and why you might choose to use them. Coming soon:

• Part 2: Free Windows Web Browsers
• Part 3: Free Windows E-mail Clients
• Part 4: Free Windows Personal Firewalls

—End

< Back to page one